Salesforce Sales Cloud - How to Test Revoking a Salesforce OAuth Token and Re-Authenticating Your Instances Through API

This article explains how to test a framework for re-authenticating instances of Salesforce Sales Cloud (SFDC). It covers how to revoke an SFDC OAuth token and walks through a scenario you can run to confirm that your re-authentication process through API calls is successful.

1. The first step is to access your SFDC account and create an OAuth/Connected App that has scopes of both 'full' and 'refresh_token, offline_access'. Also pay attention to the 'Refresh Token Policy' that you set on your Connected App, because it can affect your ability to re-authenticate using the process described here.


2. Next, authenticate an instance through the API. The required calls and payloads are covered in the developer docs.


3. Access your Cloud Elements account, locate your new SFDC instance, and copy the auth header (user/org/element tokens) from the instance. For example, you can copy the full Authorization header from any endpoint after selecting your instance.

4. Now revoke the user's OAuth token either through the SFDC interface or through an API call to SFDC directly.

5. a) Revoke through the SFDC website by accessing: Setup -> Manage Apps -> Connected Apps OAuth Usage -> User Count.

Then simply click the 'Revoke' option for the desired user token you want to revoke.

5. b) Or you can use Postman or another tool to make an API call to GET /instances with your full Cloud Elements auth header, including the element token, and retrieve the current oauth.user.token value.

Then make a POST to this URL to revoke the OAuth token for this instance. The Bearer in this case is equivalent to your user's OAuth token. 

- https://{SFDC-Instance}.salesforce.com/services/oauth2/revoke?token=#####

- https://help.salesforce.com/articleView?id=remoteaccess_revoke_token.htm&type=5



7. Confirm that the SFDC instance is no longer authenticated.

8. Make an API call to GET /oauth/url just as you did when you initially provisioned your instance of SFDC.

9. Access the generated OAuth URL, log in to SFDC, and retrieve the provider code.

10. Make an API call to PATCH /instances with the full Cloud Elements auth header retrieved previously, blank oauth.user.refresh_token and oauth.user.token values, and the providerData.code value in the body.

11. Confirm a successful response, and verify that the SFDC instance was successfully re-authenticated.
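Steps 5 b) and 10 as request builders, an added example that is not part of the original article or Cloud Elements' own code. It sends the token in the POST form body, which the Salesforce revoke endpoint also accepts, so the token stays out of URLs and access logs; the Cloud Elements base URL, the `configuration` nesting in the PATCH body and all sample values are assumptions or constructed placeholders.

```python
import json
import urllib.parse
import urllib.request

def build_revoke_request(sfdc_instance, oauth_token):
    """Step 5 b): POST to the Salesforce revoke endpoint, token in the form body."""
    url = f"https://{sfdc_instance}.salesforce.com/services/oauth2/revoke"
    body = urllib.parse.urlencode({"token": oauth_token}).encode()
    return urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})

def build_reauth_request(ce_base_url, auth_header, provider_code):
    """Step 10: PATCH /instances with blank token values and the provider code."""
    payload = {
        # Assumption: the oauth.* keys sit under "configuration"; check the docs.
        "configuration": {"oauth.user.token": "", "oauth.user.refresh_token": ""},
        "providerData": {"code": provider_code},
    }
    return urllib.request.Request(
        f"{ce_base_url.rstrip('/')}/instances",
        data=json.dumps(payload).encode(), method="PATCH",
        headers={"Authorization": auth_header, "Content-Type": "application/json"})

def loggable(req):
    """Summary that is safe to write to test logs: no token, code or auth header."""
    return {
        "method": req.get_method(),
        "url": req.full_url,
        "headers": sorted(name for name, _ in req.header_items()),
        "body_bytes": len(req.data or b""),
    }

if __name__ == "__main__":
    # Constructed sample values, not real credentials or hosts.
    revoke = build_revoke_request("na1", "00Dxx-constructed-token")
    reauth = build_reauth_request("https://ce.example.invalid/api",
                                  "User u, Organization o, Element e",
                                  "constructed-code")
    for req in (revoke, reauth):
        print(loggable(req))
    # To send for real: urllib.request.urlopen(req), then confirm success.
```
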

If you are interested in seeing this process demoed in a quick video, you can find that here:

Note that in some scenarios re-authentication through the API must be made via a PUT /instances containing the full instance configuration rather than a PATCH /instances. This can be necessary if the token has expired or if the OAuth token was revoked through means other than those discussed in this article.